一、JumpServer 2.4.5 安装
1、环境准备
jumpserver 官网: https://www.jumpserver.org/
硬件配置 : 2个CPU, 4G 内存, 50G 硬盘(最低)
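# Environment check. The two commands only print the host's versions; the
# values the author saw were interleaved with the commands in the original
# (which made it unrunnable) and are kept here as comments.
uname -r                   # 3.10.0-862.3.2.el7.x86_64
cat /etc/redhat-release    # CentOS Linux release 7.5.1804 (Core)

# Stop and disable the host firewall and NetworkManager.
# NOTE(review): with firewalld off, every port the later steps open (redis
# 6379, mariadb 3306, core 8080, koko 5000/2222, guacamole 8081) is reachable
# from any network the host is on unless something upstream filters it. Keep
# the services listening on 127.0.0.1 where the guide already does so, and
# put a host firewall rule set back in front of nginx before go-live.
for unit in firewalld NetworkManager.service; do
  systemctl stop "$unit"
  systemctl disable "$unit"
done

# SELinux: permissive now, disabled after the next boot.
# NOTE(review): this removes mandatory access control for the whole host, not
# only for JumpServer; relabelling the install paths under the targeted policy
# would be the narrower fix, but is not covered by this guide.
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config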
# Switch the system locale to zh_CN.UTF-8: the application logs contain
# Chinese text and may otherwise fail with "input/output error".
# Only a line that currently reads LANG=en_US.UTF-8 is rewritten; any other
# current value is left untouched by this substitution.
sed -i 's/LANG=en_US.UTF-8/LANG=zh_CN.UTF-8/g' /etc/locale.conf
2、安装 python3 和 python 虚拟环境
需要支持python3.6
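# Build dependencies, then Python 3 (python3 comes from EPEL on CentOS 7,
# which the first line enables).
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
yum install python3 python3-devel -y

# Optional: switch EPEL to a domestic mirror when downloads are slow. If the
# two installs above already succeeded this step can be skipped.
# The repo file selects baseurl and gpgkey for every later package, so it is
# fetched over HTTPS instead of the original plain http, which an on-path
# party could rewrite.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
yum -y clean all
yum makecache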
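# Create the py3 virtualenv under /opt. Every later JumpServer command runs
# inside it, so `source /opt/py3/bin/activate` comes first in each session.
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate

# autoenv sources a `.env` file whenever the shell enters a directory that
# contains one (used below for /opt/jumpserver and /opt/koko).
# NOTE(review): the hook applies to every directory this account cds into,
# so a .env placed in any directory the operator enters runs with the
# operator's privileges; only enable it on an account that never enters
# untrusted paths.
git clone https://github.com/kennethreitz/autoenv.git /opt/autoenv
# Append the hook once; re-running this step must not duplicate the line.
grep -qxF 'source /opt/autoenv/activate.sh' ~/.bashrc \
  || echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
source ~/.bashrc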
3、安装 Jumpserver
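# Fetch the JumpServer 2.4.5 release. The repository has a long history, so a
# release tarball (or the zip from the GitHub project page) is much smaller
# than a clone. Only TLS protects the download — GitHub publishes no checksum
# for source tarballs — so the exact tag is pinned as done here.
cd /opt
wget https://github.com/jumpserver/jumpserver/archive/refs/tags/v2.4.5.tar.gz
tar xf v2.4.5.tar.gz
mv jumpserver-2.4.5/ jumpserver

# .env makes autoenv activate py3 whenever the shell enters /opt/jumpserver;
# the first entry asks for confirmation, answer y.
echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env

cd /opt/jumpserver/requirements
# rpm_requirements.txt is a whitespace-separated list of package names, so
# word-splitting the file contents is intentional.
# shellcheck disable=SC2046
yum -y install $(cat rpm_requirements.txt)

# Python dependencies. The original edited requirements.txt in vim: comment
# out pycrypto (otherwise the migration step later fails with
# "AttributeError: module 'Crypto.Cipher.AES' has no attribute 'MODE_GCM'")
# and add pycryptodome. Done non-interactively so the step is repeatable.
sed -i 's/^pycrypto==2.6.1/#pycrypto==2.6.1/' requirements.txt
grep -q '^pycryptodome==' requirements.txt || echo 'pycryptodome==3.9.7' >> requirements.txt

pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install wheel -i https://pypi.doubanio.com/simple/
pip install -r requirements.txt -i https://pypi.doubanio.com/simple/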
4、安装 Redis和mariadb
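# Redis (koko is pointed at it later via SHARE_ROOM_TYPE: redis).
yum -y install redis
systemctl enable redis
systemctl start redis

# MariaDB.
yum -y install mariadb mariadb-devel mariadb-server
systemctl enable mariadb
systemctl start mariadb
# NOTE(review): a fresh mariadb-server has a passwordless root account plus
# the default anonymous users and test database; run mysql_secure_installation
# (or at least set a root password) before 3306 is reachable from anywhere
# but localhost.

# Generate a random 24-character database password and print it once.
# Keep it: the config step later reads $DB_PASSWORD from this same shell.
DB_PASSWORD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 24)
printf '\033[31m 你的数据库密码是 %s \033[0m\n' "$DB_PASSWORD"
# Write your own value down. (The author's generated value was
# VcSTydVmIizXlzLkJUqsJepA — do not reuse it.)

# Create the database and a user restricted to 127.0.0.1, non-interactively.
# The SQL is fed on stdin so the password does not appear in the mysql
# process's argv (visible to every local user via ps). The password is
# [A-Za-z0-9] only, so it needs no escaping inside the quoted literal.
mysql -uroot <<SQL
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD';
flush privileges;
SQL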
5、修改 Jumpserver 配置文件
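cd /opt/jumpserver
cp config_example.yml config.yml

# This step reuses the database password generated in step 4, which exists
# only in that shell session. Fail loudly rather than writing an empty
# DB_PASSWORD into config.yml, which the original sed did silently.
: "${DB_PASSWORD:?DB_PASSWORD from step 4 is not set in this shell}"

# SECRET_KEY encrypts data in the database; per the upgrade notes it must
# stay identical across upgrades and migrations or that data cannot be
# decrypted.
SECRET_KEY=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 50)
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
# BOOTSTRAP_TOKEN is the pre-shared token koko and guacamole register with.
BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
# NOTE(review): ~/.bashrc is a clear-text file that is commonly
# world-readable, and the two lines above are not exported, so they only
# act as a record. Keep the values in a secrets store instead, and restrict
# the mode of config.yml (which now holds all three secrets) to the account
# that runs jms — e.g. `chmod 600 /opt/jumpserver/config.yml` if that is root.

# Write the values into config.yml. All three secrets are [A-Za-z0-9] only,
# so they are safe inside the sed replacement text without escaping.
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
# Disable DEBUG mode.
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
# Log level.
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
# Expire the web session when the browser closes.
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
# The database password generated in step 4.
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml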
6、运行 Jumpserver
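# Initialise the database. A successful run prints a long list of "ok".
cd /opt/jumpserver/utils
bash make_migrations.sh

# Recovery path, only if the step above fails because requirements.txt was
# not patched in step 3 (the 'Crypto.Cipher.AES' / 'MODE_GCM' error). Left
# as comments because none of it must run on a healthy install:
# 1. swap the crypto packages inside the venv:
#      pip uninstall crypto
#      pip uninstall pycryptodome
#      pip install pycryptodome
# 2. drop and recreate the partially migrated database:
#      mysql -uroot -e "drop database jumpserver; create database jumpserver default charset 'utf8';"
# 3. run `bash make_migrations.sh` again.

# Start all JumpServer components in the background.
cd /opt/jumpserver
./jms start all -d

# Confirm the core service is listening on 8080.
netstat -lntup | grep 8080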
7、安装koko
更老的版本使用的是 coco
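# koko (older releases shipped this component as "coco"). Its version must
# match the core release, 2.4.5 here.
cd /opt/
wget https://github.com/jumpserver/koko/releases/download/v2.4.5/koko-v2.4.5-linux-amd64.tar.gz
tar -xf koko-v2.4.5-linux-amd64.tar.gz
mv koko-v2.4.5-linux-amd64 koko
echo "source /opt/py3/bin/activate" > /opt/koko/.env
cd /opt/koko && cp config_example.yml config.yml

# koko registers with core using the BOOTSTRAP_TOKEN generated in step 5;
# stop here if it is not in this shell rather than writing
# "BOOTSTRAP_TOKEN: " into config.yml. (The placeholder text below, typo
# included, is what koko's config_example.yml ships with.)
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN from step 5 is not set in this shell}"
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/koko/config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/koko/config.yml
sed -i "s/# SHARE_ROOM_TYPE: local/SHARE_ROOM_TYPE: redis/g" /opt/koko/config.yml
sed -i "s/# REDIS_HOST: 127.0.0.1/REDIS_HOST: 127.0.0.1/g" /opt/koko/config.yml
sed -i "s/# REDIS_PORT: 6379/REDIS_PORT: 6379/g" /opt/koko/config.yml

# Start koko and check that ports 5000 and 2222 are listening.
./koko -s start -d
netstat -lntp

# Optional kubectl support: koko's bundled kubectl wrapper goes on PATH and
# the real binary is installed beside it as rawkubectl. The original used
# `cd koko` relative to /opt/koko, which fails when run in sequence, so the
# paths are absolute here.
# NOTE(review): rawkubectl is downloaded and placed on root's PATH with no
# checksum or signature check; TLS (switched from the original plain http)
# is the only integrity control it gets — verify the archive against a
# trusted hash if one is published.
cd /opt/koko && mv /opt/koko/kubectl /usr/local/bin/
wget https://download.jumpserver.org/public/kubectl.tar.gz
tar -xf kubectl.tar.gz
chmod 755 kubectl
mv kubectl /usr/local/bin/rawkubectl
rm -f kubectl.tar.gz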
8、使用docker部署guacamole(方便就完了)
#安装docker-ce yum install -y yum-utils device-mapper-persistent-data lvm2 yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo yum makecache fast yum -y install docker-ce systemctl daemon-reload systemctl restart docker systemctl enable docker #docker运行guacamole docker pull jumpserver/guacamole:v2.4.5 docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://本机IP:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e GUACAMOLE_LOG_LEVEL=DEBUG --restart=always jumpserver/guacamole:v2.4.5
9、下载lina和luna
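# Front-end bundles: the nginx config later serves lina at /ui/ from
# /opt/lina/ and luna at /luna/ from /opt/luna/, so both must be unpacked in
# /opt. The original relied on the current directory happening to be /opt.
cd /opt
wget https://github.com/jumpserver/luna/releases/download/v2.4.5/luna-v2.4.5.tar.gz
tar xf luna-v2.4.5.tar.gz
mv luna-v2.4.5 luna
wget https://github.com/jumpserver/lina/releases/download/v2.4.5/lina-v2.4.5.tar.gz
tar xf lina-v2.4.5.tar.gz
mv lina-v2.4.5 lina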
10、配置 Nginx 整合各组件
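yum -y install yum-utils
# Write the nginx stable repo definition. The original also opened the file
# in vim first, which is redundant with the heredoc and blocks a script run.
# gpgcheck=1 with an HTTPS gpgkey means packages are signature-verified even
# though baseurl is plain http. The quoted delimiter keeps $releasever and
# $basearch literal for yum without backslash escapes.
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF
yum install -y nginx
# nginx serves the two front-end trees directly; absolute paths so this does
# not depend on the current directory being /opt.
chown -R nginx:nginx /opt/luna
chown -R nginx:nginx /opt/lina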
1)修改Nginx配置文件
# nginx site for JumpServer: static front-ends plus reverse proxies to core
# (8080), koko (5000), guacamole (8081) and the websocket endpoint (8070).
# The heredoc delimiter is quoted, so nginx variables are written with plain
# `$` instead of the backslash escapes an unquoted heredoc needs; the file
# produced is the same.
# NOTE(review): this vhost only listens on 80, so every login and every
# session to the bastion travels in clear text between browser and nginx;
# terminate TLS on this server block (or in front of it) before exposing it.
cd /etc/nginx/conf.d
rm -f /etc/nginx/conf.d/default.conf
cat > /etc/nginx/conf.d/jumpserver.conf <<'EOF'
server {
    listen 80;
    client_max_body_size 100m;  # 录像及文件上传大小限制

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;  # lina 路径, 如果修改安装目录, 此处需要修改
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna 路径, 如果修改安装目录, 此处需要修改
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # 录像位置, 如果修改安装目录, 此处需要修改
    }

    location /static/ {
        root /opt/jumpserver/data/;  # 静态资源, 如果修改安装目录, 此处需要修改
    }

    location /koko/ {
        proxy_pass http://localhost:5000;  # 如果koko安装在别的服务器,请填写它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass http://localhost:8081/;  # 如果guacamole安装在别的服务器, 请填写它的ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        # 如果jumpserver安装在别的服务器, 请填写它的ip
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
EOF
2)启动Nginx
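# Validate the configuration before starting. The original ran all three
# commands unconditionally, so a config that failed the test still got nginx
# enabled at boot; chaining with && stops at the first failure.
nginx -t && systemctl start nginx && systemctl enable nginx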
11、开始使用jumpserver
检查应用是否已经正常运行: 服务全部启动后, 访问 http://IP (即 nginx 代理的端口), 不要再直接通过 8080 端口访问。默认账号: admin, 密码: admin, 首次登录后请立即修改默认密码。
二、jumpserver低版本升级至2.4.5
升级及迁移请保持 SECRET_KEY 与旧版本一致, 否则会导致数据库加密数据无法解密
首先2.5以上版本不支持社区版mariadb
其次2.5以上版本需升级数据库,2.6之后更需要升级redis>=5
最后,2.5以上版本使用官方文档安装就好
此次升级沿用源机器上的 mariadb 及 redis; 如果是迁移到新机器, 自行安装后, 将数据库备份文件拷贝到新机器执行恢复。
PS:数据库备份
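# ---- on the OLD host: back up the database and the data directory ----
# `-p` with no value prompts for the jumpserver DB password, which keeps it
# out of argv and shell history.
mysqldump -h127.0.0.1 -P3306 -ujumpserver -p jumpserver > /opt/jumpserver.sql
# The dump is the whole application database, including the fields that
# SECRET_KEY encrypts; keep it root-only while it is on disk and remove it
# after the restore.
chmod 600 /opt/jumpserver.sql
# Strip the utf8_bin collation if present, keeping an untouched copy first.
if grep -q 'COLLATE=utf8_bin' /opt/jumpserver.sql; then
  cp /opt/jumpserver.sql /opt/jumpserver_bak.sql
  sed -i 's@COLLATE=utf8_bin@@g' /opt/jumpserver.sql
  sed -i 's@COLLATE utf8_bin@@g' /opt/jumpserver.sql
else
  echo "备份数据库字符集正确"
fi
cd /opt/jumpserver
tar cf data.tar data

# ---- on the NEW host, after installing mariadb as in the install steps ----
# SRC_DB_PASSWORD is the old installation's jumpserver DB password (the
# original had the placeholder 源数据库密码 in the grant). A step-4 password is
# [A-Za-z0-9]; a password containing a single quote would need escaping.
: "${SRC_DB_PASSWORD:?set SRC_DB_PASSWORD to the old jumpserver DB password}"
# NOTE(review): the author grants the user from '%' (any host) here, whereas
# the install step used '127.0.0.1'. Kept as written; unless the database
# really lives on another host, the narrower '127.0.0.1' grant is the safer
# choice.
mysql -uroot <<SQL
create database jumpserver default charset 'utf8';
grant all on jumpserver.* to 'jumpserver'@'%' identified by '$SRC_DB_PASSWORD';
flush privileges;
SQL
# Same effect as `use jumpserver; source /opt/jumpserver.sql;` in the client.
mysql -uroot jumpserver < /opt/jumpserver.sql

# Copy the old config.yml and data directory into the new /opt/jumpserver,
# keeping the fresh data directory as a backup.
cd /opt/jumpserver
mv data data_bak
tar xf data.tar
# Continue with the remaining install steps.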
三、使用编译方式安装guacamole 服务(未验证)
Apache Guacamole是无客户端远程桌面网关。它支持标准协议,例如VNC,RDP和SSH。我们称其为无客户端,因为不需要插件或客户端软件。多亏了HTML5,在服务器上安装了guacamole 之后,只需使用Web浏览器即可访问桌面。
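# Unverified by the author. Version note: the docker-guacamole archive is
# the master branch saved under a v2.4.0 name and guacamole-client is v2.4.0,
# while the rest of this guide installs 2.4.5 — confirm compatibility first.
cd /opt && wget -O docker-guacamole-v2.4.0.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
mkdir /opt/docker-guacamole
tar -xf docker-guacamole-v2.4.0.tar.gz -C /opt/docker-guacamole --strip-components 1
rm -f /opt/docker-guacamole-v2.4.0.tar.gz && cd /opt/docker-guacamole
# NOTE(review): these archives are unpacked and run as root (ssh-forward is
# written straight into /bin) with no checksum or signature check. The
# downloads are moved from plain http to HTTPS, which is the only integrity
# control they get here.
wget https://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz
tar -xf guacamole-server-1.2.0.tar.gz
wget https://download.jumpserver.org/public/ssh-forward.tar.gz
tar -xf ssh-forward.tar.gz -C /bin/ && chmod +x /bin/ssh-forward

# Build dependencies for guacamole-server.
yum -y install cairo-devel libjpeg-turbo-devel libpng-devel libtool uuid-devel \
  ffmpeg-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel \
  libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel \
  libvorbis-devel libwebp-devel

# Configure, build and install guacd (with an init script under /etc/init.d).
cd /opt/docker-guacamole/guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d
make && make install

# Java runtime for the Tomcat-hosted client.
yum install -y java-1.8.0-openjdk

# Directory layout. record/ and drive/ are handed to daemon:daemon,
# presumably the user Tomcat runs as — confirm against the tomcat setup.
mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive \
  && chown daemon:daemon /config/guacamole/record /config/guacamole/drive \
  && cd /config

# Tomcat. The original downloaded 9.0.38 but extracted and renamed 9.0.36,
# so the step could never succeed; one variable now drives all three lines.
TOMCAT_VER=9.0.38
wget "https://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v${TOMCAT_VER}/bin/apache-tomcat-${TOMCAT_VER}.tar.gz"
tar -xf "apache-tomcat-${TOMCAT_VER}.tar.gz"
mv "apache-tomcat-${TOMCAT_VER}" tomcat9
# Remove the stock webapps so only the guacamole client is deployed.
rm -rf /config/tomcat9/webapps/*
# Move the connector to 8081 (8080 belongs to core) and log in UTF-8.
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml \
  && echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties

# Deploy the JumpServer guacamole client as ROOT plus its extension jar, then
# clean up the build tree.
wget https://download.jumpserver.org/release/v2.4.0/guacamole-client-v2.4.0.tar.gz \
  && tar -xf guacamole-client-v2.4.0.tar.gz \
  && rm -f guacamole-client-v2.4.0.tar.gz \
  && cp guacamole-client-v2.4.0/guacamole-*.war /config/tomcat9/webapps/ROOT.war \
  && cp guacamole-client-v2.4.0/guacamole-*.jar /config/guacamole/extensions/ \
  && mv /opt/docker-guacamole/guacamole.properties /config/guacamole/ \
  && rm -rf /opt/docker-guacamole

# Guacamole environment. Meaning of each variable, from the author's notes:
#   JUMPSERVER_SERVER        core address
#   BOOTSTRAP_TOKEN          the BOOTSTRAP_TOKEN value in jumpserver/config.yml
#   JUMPSERVER_KEY_DIR       where keys are stored after registration succeeds
#   GUACAMOLE_HOME           directory holding guacamole.properties
#   GUACAMOLE_LOG_LEVEL      log verbosity
#   JUMPSERVER_ENABLE_DRIVE  mount the shared drive for RDP sessions
# The original hard-coded a sample token (zxffNymGjP79j6BN) that cannot match
# any reader's config.yml; the value generated in step 5 is used instead and
# must be present in this shell.
: "${BOOTSTRAP_TOKEN:?BOOTSTRAP_TOKEN from step 5 is not set in this shell}"
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN
# NOTE(review): this writes the shared secret into ~/.bashrc in clear text; a
# dedicated environment file with mode 600 read by guacd/tomcat would be the
# tighter place for it.
echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/data/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

# Start guacd and Tomcat.
/etc/init.d/guacd start
sh /config/tomcat9/bin/startup.sh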
四、报错解决
1、启动jms 一会自动挂掉
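# jms starts and then dies after a moment: usually leftover processes or pid
# files from a previous run. Run inside the venv (the leading "#" before
# `source` in the original reads as the root prompt, not a comment).
source /opt/py3/bin/activate
cd /opt/jumpserver
./jms stop
# Make sure no stale jms_core processes survive before starting again.
# `pkill -f` matches the full command line like the original
# ps|grep|awk|xargs pipeline did, but does not match itself and needs no PID
# parsing. TERM is sent first so processes can clean up, KILL follows.
# NOTE(review): the pattern "py3" is broad — anything whose command line
# mentions /opt/py3, including the operator's own venv tools, is killed.
pkill -TERM -f py3
sleep 2
pkill -KILL -f py3
rm -f tmp/*.pid
./jms start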